In my previous post we set up ISE 1.3 and vWLC 7.6 with a basic 802.1X configuration. In this post we are going further to configure EAP-TLS certificate-based authentication using the ISE internal CA, a new feature introduced in 1.3. We are also going to configure the self-onboarding capability, which allows end users to register their own devices and install a certificate on them.
1. First of all, configure Captive Bypass on the WLC so that the captive portal does not automatically pop up when you connect to the BYOD SSID. This has to be done from the CLI.
config network web-auth captive-bypass enable
You need to reload your vWLC after making this change.
2. ISE > Administration > Network Resources > Network Devices, add your vWLC. 192.168.24.70 is my vWLC IP address.
3. We are going to use the ISE internal CA to sign the endpoint certificates, therefore no external identity source is needed. Go to Administration > Identity Management > Identity Source Sequences to add a new Identity Source Sequence.
4. ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols to create a new Allowed Protocols Services List.
5. ISE > Policy > Authentication to add a new authentication policy.
6. ISE > Policy > Policy Elements > Results > Authorization > Authorization Profiles to create two authorization profiles, one for full network access and the other dedicated to supplicant provisioning.
Create an ACL on the vWLC that permits all traffic for users after authentication.
Create another authorization profile for supplicant provisioning.
Create an ACL on the vWLC that allows access to DNS and the ISE BYOD portal during the supplicant provisioning stage.
Make sure your ISE FQDN is resolvable via DNS. I have added a DNS host record on my DNS server, 192.168.24.2.
7. ISE > Policy > Authorization to add two rules, "Employee Personal Device" and "Reg with ISE TLS". Devices that have not been registered before are redirected to the BYOD portal, which installs the certificate on the device.
8. ISE > Policy > Client Provisioning. I am an iPhone user and I have only configured iOS in my lab. For other platforms it should be similar.
9. Since I am using FlexConnect, make sure you have created the FlexConnect ACL, otherwise the client cannot reach the ISE page.
This is the screen capture from my iPhone when it first connects to the BYOD SSID.
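To make the decision logic of steps 6 and 7 concrete, here is a small Python model of the two authorization rules and the two vWLC ACLs they hand out. It is an added example written for this post, not ISE or WLC code; the ISE node address, the portal port 8443 and the exact rule conditions are assumptions, because the post shows them only in screenshots.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the post: DNS server 192.168.24.2. The ISE node address and the
# BYOD portal port are NOT in the post; both are placeholders/assumptions.
DNS_SERVER = "192.168.24.2"
ISE_NODE = "192.168.24.10"       # placeholder ISE address
BYOD_PORTAL_PORT = 8443          # assumed ISE portal port


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    dst: str     # destination IPv4 address
    dport: int   # destination port


# ACL rule = (protocol, destination network, destination port or None, action).
# First match wins and anything unmatched is dropped, like a WLC ACL.
PERMIT_ALL_ACL = [("any", "0.0.0.0/0", None, "permit")]      # post-auth profile
PROVISIONING_ACL = [                                         # redirect profile
    ("udp", f"{DNS_SERVER}/32", 53, "permit"),               # DNS resolution
    ("tcp", f"{ISE_NODE}/32", BYOD_PORTAL_PORT, "permit"),   # ISE BYOD portal
]


def acl_allows(acl, pkt):
    """Return True if the first matching rule permits the packet."""
    for proto, net, port, action in acl:
        if proto != "any" and proto != pkt.proto:
            continue
        if ip_address(pkt.dst) not in ip_network(net):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ACL


def authorize(auth_method, byod_registered):
    """First-match evaluation of the two rules from step 7.

    Returns (rule name, ACL applied by the vWLC, redirect to BYOD portal?).
    The conditions are an assumption of how the two rules are built.
    """
    if auth_method == "EAP-TLS" and byod_registered:
        return "Employee Personal Device", PERMIT_ALL_ACL, False
    # Anything else on the BYOD SSID is sent to supplicant provisioning
    return "Reg with ISE TLS", PROVISIONING_ACL, True
```

During provisioning only DNS and the portal pass the ACL, so a client that has not resolved the ISE FQDN (step 6) cannot reach the portal even though the redirect is issued.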